Microsoft plans to roll out new default settings in the next major Windows 11 release that delay brute force attacks against system accounts.
Brute force attacks are a common way for attackers to gain access to systems; against Windows machines, they are frequently aimed at Remote Desktop Protocol (RDP) logins. Microsoft notes that human-operated ransomware attacks frequently use RDP brute-force attacks to break into accounts.
One of the major shortcomings of Windows has been the lack of a default lockout policy that slows brute force attacks down. Although organizations can implement additional protections, such as going passwordless or enabling two-factor authentication, most Windows systems are not protected against these attacks.
Launched in the latest Windows 11 Insider builds and coming soon to all Windows 11 devices, a set of new account lockout policies improves brute force protection on the operating system.
The protection slows brute force attacks by locking an account after a set number of failed login attempts. By default, an account is locked for 10 minutes after 10 invalid login attempts, and the policy applies to all account types, including administrator accounts.
Windows 11 administrators can modify the default configuration using the Group Policy Editor:
- Use Windows-R to open the run box.
- Type gpedit.msc and hit the Enter key to load the Group Policy Editor.
- Go to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Account Lockout Policy.
- Double-clicking on any of the four policies listed displays options to change the defaults.
The four policies in question are:
- Account lockout duration: sets how long the account stays locked out after too many invalid login attempts have been recorded by the Windows 11 system.
- Account lockout threshold: sets the number of failed login attempts after which Windows locks the account.
- Allow Administrator account lockout: specifies whether administrator accounts can be locked out as well.
- Reset account lockout counter after: sets how long after a failed login attempt the counter of failed attempts is reset to zero.
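The following is an added example, not part of the article: a PowerShell audit script that reads the effective local lockout settings from the built-in `net accounts` command and compares them with the Windows 11 defaults described above. The 10-minute value for the reset window and the `$expected` names are assumptions, as is the `Get-LockoutPolicy` function name; the administrator lockout switch is not shown by `net accounts`, so it has to be checked in the Group Policy Editor.

```powershell
# Added example (not from the article): compare the local account lockout
# policy with the new Windows 11 defaults (threshold 10, duration 10 min).
# The 10-minute reset window is an assumed default, not stated on the page.
$expected = @{ Threshold = 10; DurationMinutes = 10; WindowMinutes = 10 }

function Get-LockoutPolicy {
    # `net accounts` prints one "Label: value" line per setting.
    $lines  = net accounts
    $policy = @{}
    foreach ($line in $lines) {
        if ($line -match '^Lockout threshold:\s+(\S+)') {
            # "Never" means a threshold of 0: accounts are never locked out.
            $policy.Threshold = if ($Matches[1] -eq 'Never') { 0 } else { [int]$Matches[1] }
        }
        elseif ($line -match '^Lockout duration \(minutes\):\s+(\S+)') {
            # "Never" means 0: the account stays locked until an admin unlocks it.
            $policy.DurationMinutes = if ($Matches[1] -eq 'Never') { 0 } else { [int]$Matches[1] }
        }
        elseif ($line -match '^Lockout observation window \(minutes\):\s+(\S+)') {
            # This is the "Reset account lockout counter after" policy.
            $policy.WindowMinutes = [int]$Matches[1]
        }
    }
    return $policy
}

$actual = Get-LockoutPolicy

if ($actual.Threshold -eq 0) {
    Write-Warning 'Lockout threshold is 0 (Never): brute force attempts are not throttled at all.'
}

foreach ($name in $expected.Keys) {
    $status = if ($actual[$name] -eq $expected[$name]) { 'OK' } else { 'DIFFERS' }
    '{0,-16} expected {1,3}  actual {2,3}  {3}' -f $name, $expected[$name], $actual[$name], $status
}

# Allow Administrator account lockout is not reported by `net accounts`;
# check it under Security Settings > Account Lockout Policy in gpedit.msc.
```

Run it from an elevated PowerShell prompt on the machine being audited; a threshold reported as 0 means the pre-Windows 11 behaviour, where failed logins are never throttled, is still in effect.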
Microsoft plans to roll out the new brute force protections in the next feature update, which is expected to be released in the coming months. The new defaults should make it harder for human-operated ransomware attacks to break into Windows PCs.
Now you: what do you think of this new protection?